Module Name: src Committed By: snj Date: Mon Jun 29 23:55:23 UTC 2009
Modified Files: src/games/hack [netbsd-4]: hack.do_name.c hack.h hack.invent.c hack.main.c hack.rip.c hack.topl.c hack.unix.c Log Message: Pull up following revision(s) (requested by dholland in ticket #1331): games/hack/hack.do_name.c: revision 1.10 games/hack/hack.h: revision 1.13 via patch games/hack/hack.invent.c: revision 1.13 games/hack/hack.main.c: revision 1.13 games/hack/hack.rip.c: revision 1.11 games/hack/hack.topl.c: revision 1.11 games/hack/hack.unix.c: revision 1.13 Fix two serious string-handling bugs (one exploitable, one probably exploitable) and also add proper checking/paranoia in several other places. To generate a diff of this commit: cvs rdiff -u -r1.6.16.1 -r1.6.16.2 src/games/hack/hack.do_name.c cvs rdiff -u -r1.10 -r1.10.16.1 src/games/hack/hack.h cvs rdiff -u -r1.10.4.1 -r1.10.4.2 src/games/hack/hack.invent.c cvs rdiff -u -r1.9.16.1 -r1.9.16.2 src/games/hack/hack.main.c \ src/games/hack/hack.unix.c cvs rdiff -u -r1.7.16.1 -r1.7.16.2 src/games/hack/hack.rip.c \ src/games/hack/hack.topl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/games/hack/hack.do_name.c diff -u src/games/hack/hack.do_name.c:1.6.16.1 src/games/hack/hack.do_name.c:1.6.16.2 --- src/games/hack/hack.do_name.c:1.6.16.1 Mon Jun 29 23:53:01 2009 +++ src/games/hack/hack.do_name.c Mon Jun 29 23:55:23 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: hack.do_name.c,v 1.6.16.1 2009/06/29 23:53:01 snj Exp $ */ +/* $NetBSD: hack.do_name.c,v 1.6.16.2 2009/06/29 23:55:23 snj Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.do_name.c,v 1.6.16.1 2009/06/29 23:53:01 snj Exp $"); +__RCSID("$NetBSD: hack.do_name.c,v 1.6.16.2 2009/06/29 23:55:23 snj Exp $"); #endif /* not lint */ #include <stdlib.h> @@ -284,7 +284,7 @@ gn = ghostnames[rn2(SIZE(ghostnames))]; if (!rn2(2)) (void) - strcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn); + strlcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn, mtmp->mxlth); } (void) snprintf(buf, sizeof(buf), "%s's ghost", gn); } Index: src/games/hack/hack.h diff -u src/games/hack/hack.h:1.10 src/games/hack/hack.h:1.10.16.1 --- src/games/hack/hack.h:1.10 Tue Jan 27 20:30:29 2004 +++ src/games/hack/hack.h Mon Jun 29 23:55:23 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: hack.h,v 1.10 2004/01/27 20:30:29 jsm Exp $ */ +/* $NetBSD: hack.h,v 1.10.16.1 2009/06/29 23:55:23 snj Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -202,7 +202,7 @@ extern char SAVEF[]; extern char fut_geno[60]; /* idem */ extern char genocided[60]; /* defined in Decl.c */ -extern char lock[]; +extern char lock[PL_NSIZ + 4]; extern char mlarge[]; extern char morc; extern char nul[]; Index: src/games/hack/hack.invent.c diff -u src/games/hack/hack.invent.c:1.10.4.1 src/games/hack/hack.invent.c:1.10.4.2 --- src/games/hack/hack.invent.c:1.10.4.1 Mon Jun 29 23:53:01 2009 +++ src/games/hack/hack.invent.c Mon Jun 29 23:55:23 2009 
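Review bot: The new `strlcpy` into `mtmp->mextra` in the @@ -284 hunk of hack.do_name.c is bounded by `mtmp->mxlth`, so it is only as safe as that field's agreement with the real allocation, which is made outside this hunk. If `mxlth` can be zero, `strlcpy` writes nothing and `mextra` is left without a terminator for whoever reads it later. The return value is also discarded, so a player name longer than the slot is truncated silently. That is probably acceptable for a ghost name, but a comment such as `/* mxlth is the size of the mextra allocation; long names are truncated */` would record the assumption.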
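Review bot: The `+ 4` in `extern char lock[PL_NSIZ + 4]` (hack.h, @@ -202 hunk) is undocumented, and it appears to leave room for only a dot, two digits and the terminator after the player name. The rewritten `glo()` in hack.main.c formats `".%d"` into that tail and depends on `sizeof(lock)`, so the margin deserves a comment next to the declaration, for example `/* player name + ".NN" + NUL; must match the definition */`. The definition is not part of this diff; if it lives in a file that does not include hack.h, a size mismatch would not be diagnosed by the compiler.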
@@ -1,4 +1,4 @@ -/* $NetBSD: hack.invent.c,v 1.10.4.1 2009/06/29 23:53:01 snj Exp $ */ +/* $NetBSD: hack.invent.c,v 1.10.4.2 2009/06/29 23:55:23 snj Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,9 +63,10 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.invent.c,v 1.10.4.1 2009/06/29 23:53:01 snj Exp $"); +__RCSID("$NetBSD: hack.invent.c,v 1.10.4.2 2009/06/29 23:55:23 snj Exp $"); #endif /* not lint */ +#include <assert.h> #include <stdlib.h> #include "hack.h" #include "extern.h" @@ -578,7 +579,7 @@ char buf[BUFSZ]; char *ip; char sym; - int oletct = 0, iletct = 0; + unsigned oletct = 0, iletct = 0; boolean allflag = FALSE; char olets[20], ilets[20]; int (*ckfn)(struct obj *) = @@ -609,6 +610,7 @@ if (invent) ilets[iletct++] = 'a'; ilets[iletct] = 0; + assert(iletct < sizeof(ilets)); } pline("What kinds of thing do you want to %s? [%s] ", word, ilets); @@ -637,6 +639,7 @@ olets[oletct++] = sym; olets[oletct] = 0; } + assert(oletct < sizeof(olets)); } else pline("You don't have any %c's.", sym); } @@ -754,7 +757,7 @@ { struct obj *otmp; char ilet; - int ct = 0; + unsigned ct = 0; char any[BUFSZ]; morc = 0; /* just to be sure */ @@ -777,6 +780,7 @@ ilet = 'A'; } any[ct] = 0; + assert(ct < sizeof(any)); cornline(2, any); } @@ -786,7 +790,7 @@ /* Changed to one type only, so he doesnt have to type cr */ char c, ilet; char stuff[BUFSZ]; - int stct; + unsigned stct; struct obj *otmp; boolean billx = inshop() && doinvbill(0); boolean unpd = FALSE; @@ -812,6 +816,7 @@ if (billx) stuff[stct++] = 'x'; stuff[stct] = 0; + assert(stct < sizeof(stuff)); if (stct > 1) { pline("What type of object [%s] do you want an inventory of? ", 
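Review bot: Each added `assert` in hack.invent.c runs after the store it is meant to guard: in the @@ -609 hunk `ilets[iletct] = 0;` has already executed when `assert(iletct < sizeof(ilets));` is evaluated, so an out-of-range index is reported only after memory has been written. The same ordering appears in the @@ -637 (`olets`), @@ -777 (`any`), @@ -812 and @@ -848 (`stuff`) hunks, and the `[iletct++]`-style stores earlier in each sequence are not checked at all. `assert` is also compiled out when `NDEBUG` is defined, which leaves no check in such builds. Moving the check ahead of the terminating store, e.g. `assert(iletct < sizeof(ilets)); ilets[iletct] = 0;`, or bounding the filling loop itself would make the guard effective; the enclosing functions extend beyond these hunks.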
@@ -848,6 +853,8 @@ ilet = 'A'; } stuff[stct] = '\0'; + assert(stct < sizeof(stuff)); + if (stct == 0) pline("You have no such objects."); else Index: src/games/hack/hack.main.c diff -u src/games/hack/hack.main.c:1.9.16.1 src/games/hack/hack.main.c:1.9.16.2 --- src/games/hack/hack.main.c:1.9.16.1 Mon Jun 29 23:53:01 2009 +++ src/games/hack/hack.main.c Mon Jun 29 23:55:23 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: hack.main.c,v 1.9.16.1 2009/06/29 23:53:01 snj Exp $ */ +/* $NetBSD: hack.main.c,v 1.9.16.2 2009/06/29 23:55:23 snj Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.main.c,v 1.9.16.1 2009/06/29 23:53:01 snj Exp $"); +__RCSID("$NetBSD: hack.main.c,v 1.9.16.2 2009/06/29 23:55:23 snj Exp $"); #endif /* not lint */ #include <signal.h> @@ -302,7 +302,8 @@ } *gp = 0; } else - (void) strcpy(genocided, sfoo); + (void) strlcpy(genocided, sfoo, + sizeof(genocided)); (void) strcpy(fut_geno, genocided); } } @@ -481,12 +482,12 @@ int foo; { /* construct the string xlock.n */ - char *tf; + size_t pos; - tf = lock; - while (*tf && *tf != '.') - tf++; - (void) sprintf(tf, ".%d", foo); + pos = 0; + while (lock[pos] && lock[pos] != '.') + pos++; + (void) snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo); } /* Index: src/games/hack/hack.unix.c diff -u src/games/hack/hack.unix.c:1.9.16.1 src/games/hack/hack.unix.c:1.9.16.2 --- src/games/hack/hack.unix.c:1.9.16.1 Mon Jun 29 23:53:01 2009 +++ src/games/hack/hack.unix.c Mon Jun 29 23:55:23 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: hack.unix.c,v 1.9.16.1 2009/06/29 23:53:01 snj Exp $ */ +/* $NetBSD: hack.unix.c,v 1.9.16.2 2009/06/29 23:55:23 snj Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, 
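Review bot: The context line `(void) strcpy(fut_geno, genocided);` directly after the new `strlcpy` in the @@ -302 hunk of hack.main.c is still unbounded, and it is safe only because hack.h declares both arrays as `[60]`. Writing `(void) strlcpy(fut_geno, genocided, sizeof(fut_geno));` would keep the copy correct if either size changes. The other branch of the `else`, which fills `genocided` through `gp`, is only partly visible in this hunk, so its bound cannot be confirmed from here.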
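Review bot: In the rewritten `glo()` (hack.main.c, @@ -481 hunk) the result of `snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo)` is discarded, so a suffix that does not fit is cut short without any signal. A truncated suffix would let two different values of `foo` produce the same file name. Capturing the return value and treating `n < 0 || (size_t)n >= sizeof(lock) - pos` as a fatal error, through whatever error routine the game already uses, would turn that into a visible failure. The scan loop also relies on `lock` being NUL-terminated within its declared size.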
@@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.unix.c,v 1.9.16.1 2009/06/29 23:53:01 snj Exp $"); +__RCSID("$NetBSD: hack.unix.c,v 1.9.16.2 2009/06/29 23:55:23 snj Exp $"); #endif /* not lint */ /* This file collects some Unix dependencies; hack.pager.c contains some more */ @@ -193,11 +193,11 @@ if ((np = strchr(path, ':')) == NULL) np = path + strlen(path); /* point to end str */ if (np - path <= 1) /* %% */ - (void) strcpy(filename, name); + (void) strlcpy(filename, name, sizeof(filename)); else { - (void) strncpy(filename, path, np - path); - filename[np - path] = '/'; - (void) strcpy(filename + (np - path) + 1, name); + (void) snprintf(filename, sizeof(filename), + "%.*s/%s", + (int)(np - path), path, name); } if (stat(filename, &hbuf) == 0) return; Index: src/games/hack/hack.rip.c diff -u src/games/hack/hack.rip.c:1.7.16.1 src/games/hack/hack.rip.c:1.7.16.2 --- src/games/hack/hack.rip.c:1.7.16.1 Mon Jun 29 23:53:01 2009 +++ src/games/hack/hack.rip.c Mon Jun 29 23:55:23 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: hack.rip.c,v 1.7.16.1 2009/06/29 23:53:01 snj Exp $ */ +/* $NetBSD: hack.rip.c,v 1.7.16.2 2009/06/29 23:55:23 snj Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.rip.c,v 1.7.16.1 2009/06/29 23:53:01 snj Exp $"); +__RCSID("$NetBSD: hack.rip.c,v 1.7.16.2 2009/06/29 23:55:23 snj Exp $"); #endif /* not lint */ #include "hack.h" @@ -101,7 +101,7 @@ !strcmp(killer, "starvation") ? "" : strchr(vowels, *killer) ? " an" : " a"); center(8, buf); - (void) strcpy(buf, killer); + (void) strlcpy(buf, killer, sizeof(buf)); { int i1; if ((i1 = strlen(buf)) > 16) { Index: src/games/hack/hack.topl.c diff -u src/games/hack/hack.topl.c:1.7.16.1 src/games/hack/hack.topl.c:1.7.16.2 --- src/games/hack/hack.topl.c:1.7.16.1 Mon Jun 29 23:53:01 2009 +++ src/games/hack/hack.topl.c Mon Jun 29 23:55:23 2009 
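Review bot: Both new bounded writes to `filename` in the @@ -193 hunk of hack.unix.c discard their results, so an over-long `PATH` component plus `name` is truncated and the truncated string is then handed to `stat()`. A truncated path can name a different existing file, which would make the lookup succeed on the wrong target. Capturing the `snprintf` return and skipping the candidate when `n < 0 || (size_t)n >= sizeof(filename)` avoids that, and the `strlcpy` return can be compared against `sizeof(filename)` in the same way. `filename` is declared outside the hunk, so `sizeof(filename)` is assumed here to be an array size rather than a pointer size.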
@@ -1,4 +1,4 @@ -/* $NetBSD: hack.topl.c,v 1.7.16.1 2009/06/29 23:53:01 snj Exp $ */ +/* $NetBSD: hack.topl.c,v 1.7.16.2 2009/06/29 23:55:23 snj Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.topl.c,v 1.7.16.1 2009/06/29 23:53:01 snj Exp $"); +__RCSID("$NetBSD: hack.topl.c,v 1.7.16.2 2009/06/29 23:55:23 snj Exp $"); #endif /* not lint */ #include <stdlib.h> @@ -216,7 +216,7 @@ { char pbuf[BUFSZ]; char *bp = pbuf, *tl; - int n, n0; + int n, n0, tlpos, dead; if (!line || !*line) return; @@ -244,8 +244,9 @@ if (flags.toplin == 1) more(); remember_topl(); + dead = 0; toplines[0] = 0; - while (n0) { + while (n0 && !dead) { if (n0 >= CO) { /* look for appropriate cut point */ n0 = 0; @@ -259,7 +260,14 @@ if (!n0) n0 = CO - 2; } - (void) strncpy((tl = eos(toplines)), bp, n0); + tlpos = strlen(toplines); + tl = toplines + tlpos; + /* avoid overflow */ + if (tlpos + n0 > (int)sizeof(toplines) - 1) { + n0 = sizeof(toplines) - 1 - tlpos; + dead = 1; + } + (void) memcpy(tl, bp, n0); tl[n0] = 0; bp += n0; @@ -269,7 +277,7 @@ n0 = strlen(bp); if (n0 && tl[0]) - (void) strcat(tl, "\n"); + (void) strlcat(toplines, "\n", sizeof(toplines)); } redotoplin(); }
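Review bot: The bound check in the @@ -259 hunk of hack.topl.c does its arithmetic in `int` (`tlpos = strlen(toplines)`, `tlpos + n0 > (int)sizeof(toplines) - 1`), while the clamp `n0 = sizeof(toplines) - 1 - tlpos` is computed in `size_t` and narrowed back. It holds for the sizes involved, but declaring `tlpos` as `size_t` and writing the test as `if ((size_t)n0 > sizeof(toplines) - 1 - tlpos)` removes the cast and the signed addition. The comment `/* avoid overflow */` could also say what happens to the message, e.g. `/* toplines is full: copy what fits and stop after this chunk */`, since `dead` silently drops the rest of the line. The function body starts outside these hunks.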